Steve Gibson and his broken IIS Condom

2001

Steve Gibson has a thing for re-inventing the wheel. He writes software that claims to do miracles of security,
when in reality they are poor implementations of technology that has been around for a while. In 2001
he wrote an "Advanced IIS Filter" to protect Microsoft IIS installations:

Advanced IIS Filter -- preemptive security for IIS

Following the "IIS Worm Wars" of 2001, it was clear that the world needed to be protected from future "Malicious URL" exploits against IIS. So I created a prophylactic filter (APF) to examine and discard
bogus URLs before they could touch and exploit IIS. Here's a sample bogus URL aimed at our hybrid, APF-protected, web server: http://www.grc.com/00000.

But do something whacky, like try to back up the directory tree,
screw around with "double URL decoding" or UNICODE, or mess with the
valid syntax for passing CGI parameters ...

http://grc.com/x/talk.exe?cmd=xover&&group=grc.news

From Maiffret:

"In the above example if you click the second link it takes you to a page
that says "Invalid Request Detected & Blocked" because his uber cool
security tool detected that two &'s is a bad thing and therefore filtered
the request. However if you send a request like
http://grc.com/x/talk.exe?cmd=xover&%u0026group=grc.news which is %u
encoded... he doesn't handle %u so it gets past his dumb crap."